Researchers find 'proof' of Flame-Stuxnet link

By Kevin McCaney

Jun 11, 2012

The ultra-sophisticated Flame spyware recently found attacking systems in the Middle East and Europe shared some of its code with Stuxnet, the malware that disrupted Iran’s nuclear program in 2010, according to researchers who have studied both worms.

Researchers at Kaspersky Labs write in a blog post that a module, called “Resource 207,” in the earliest known version of Stuxnet was a plug-in from Flame, which was created earlier.

Security experts had found some hints that Flame was related to Stuxnet and another information-gathering program, Duqu, but the Kaspersky team said the latest discovery is the first proof that the malware programs share the same origins. Recent news reports have said those origins are the United States and Israel, which reportedly developed Stuxnet as part of a cyber offensive targeting Iran’s development of nuclear weapons.

Meanwhile, additional research on Flame by cryptography experts has determined that Flame used a previously unknown variant of a collision attack that would require “world-class” cryptographers to design it.

Cryptanalyst Marc Stevens of CWI in Amsterdam, who designed such an attack in 2008 to prove that the commonly used MD5 hashing algorithm could be broken, wrote on the CWI website that Flame “fulfills a long-standing nightmare for security engineers: It is able to mask itself as a valid Windows Update and thus ironically can spread itself as a security patch.”

The malware used a heretofore unseen variation of a “chosen prefix collision attack” to hack into the Windows Update systems and forge Microsoft certificates, which could sign malicious code to make it appear it was coming from Microsoft. The use of an unknown variant “has led to our conclusion that the design of Flame is partly based on world-class cryptanalysis," Stevens wrote.

Flame, also known as Flamer and sKyWIper, was discovered in May infecting a relatively small, targeted number of computers. Most of the targets were in Iran and the Palestinian West Bank, but others turned up elsewhere in the Middle East and Europe. It’s a huge program by malware standards, at 20M when all of its modules are deployed, and was described as a full-featured spyware program that also was good at covering its tracks.

Although Stuxnet was discovered in 2010, it apparently came after Flame, parts of which date to at least 2007. And although researchers initially thought Flame and Stuxnet might have come from the same program, they thought the malware was the work of two different teams. Kaspersky now says they started with some of the same code, with two development teams later working separately beginning in 2010, when “Resource 207” was replaced in Stuxnet by other modules.

From the time they were discovered, the complexity of Stuxnet, Duqu and Flame led security experts to speculate that they were the work of a nation-state. And because they all share Iran as a primary target, suspicion fell on the United States and Israel.

The New York Times, citing unidentified government sources, reported that Stuxnet was part of a secret cyber program, dubbed Olympic Games, started in the Bush administration and accelerated by the Obama administration, and targeting Iran nuclear program.

However, U.S. officials said Flame was not part of Olympic Games, according to the Times article, which was adapted from David E. Sanger’s just-released book, “Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power.”

As further evidence of Flame’s sophistication, shortly after it was discovered Symantec reported that some of its command-and-control servers began issuing “suicide” commands to remove Flame from infected machines.